NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12


Todd Pearson

I am hosting the squid proxy on Windows 2K12 server.   Squid 2.7.STABLE8 Squid Web Proxy version worked well for authentication until recent Windows 10 update killed Sha1.  Now I am upgrading to squid proxy version 3.5.x.x to restore authentication.  

The below settings are no longer available in the 3.5.x.x version since the programs do not exist for the new version:

auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe

external_acl_type win_domain_group %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G


What are the equivalent settings for v 3.5?  Once again I am in a Windows environment.





_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12

Amos Jeffries
Administrator
On 27/06/17 12:06, Todd Pearson wrote:
>
> I am hosting the squid proxy on Windows 2K12 server.   Squid 2.7.STABLE8
> Squid Web Proxy version worked well for authentication until recent
> Windows 10 update killed Sha1.  Now I am upgrading to squid proxy
> version 3.5.x.x to restore authentication.

FYI: upgrading to Squid-3 will not solve that problem by itself. The
helpers in both Squid series are performing the same logic, with the
same crypto limitations.

The core problem is that NTLM protocol itself is not capable of anything
actually considered secure these days. It was declared EOL by MS more
than 11 years ago, so loss of NTLM related things in Win10 is hardly a
surprise.

To solve your auth problem what you need is actually a migration to
Kerberos authentication (Negotiate auth). You might find that slightly
easier after the Squid-3 upgrade, but the two are really independent
changes.


>
> The below settings are no longer available in the 3.5.x.x version since the
> programs do not exist for the new version:
>
> auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
>
> external_acl_type win_domain_group %LOGIN
> c:/squid/libexec/mswin_check_ad_group.exe -G
>
>
> What are the equivalent settings for v 3.5?  Once again I am in a Windows
> environment.

The helpers still exist, they just got renamed to follow a structured
taxonomy:
<http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss2.6>


Amos

Re: NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12

Todd Pearson

Thank you for the information.  Is there any place to download the helper binaries for NTLM?  Or do I need to build them myself?

Is there additional information on Kerberos configuration in a Windows environment?  Trying to wrap my head around the keytab and creation of it in a Windows-only environment.

From: Amos Jeffries <[hidden email]>
To: [hidden email]
Sent: Tuesday, June 27, 2017 8:40 AM
Subject: Re: [squid-users] NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12


Re: NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12

Amos Jeffries
Administrator
On 28/06/17 05:12, Todd Pearson wrote:
>
> Thank you for the information.  Is there any place to download the
> helper binaries for NTLM?  Or do I need to build them myself?
>

Since you were using the SSPI helper for NTLM you should have the
Negotiate/Kerberos equivalent already. It is mswin_sspi in Squid-2 or
negotiate_sspi_auth in Squid-3.2+. The group checking helpers work with
both auth types.

Diladele provide Squid-3 builds for Windows
(<http://squid.diladele.com/>) if you are still going that way.


> Is there additional information on Kerberos configuration in a Windows
> environment?  Trying to wrap my head around the keytab and creation of
> it in a Windows-only environment.


This may be of help understanding what the Kerberos process is:
<http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos>

though the config examples and setup commands we have are all for
non-Windows Squid machines it seems.


PS. I don't use Windows Squid servers myself, so can't be much help here.
Maybe someone more familiar can help out.

Amos
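
An added example, not code from any poster in this thread or from the Squid project: a small audit that reads a squid.conf carried over from Squid-2 on Windows, reports each directive that still names an old helper, and prints both the renamed Squid-3 line and the Negotiate line that replaces the NTLM scheme. Only negotiate_sspi_auth is named in the thread; ntlm_sspi_auth and ext_ad_group_acl are assumed from the Squid-3 helper naming scheme, and the sample config is constructed.

```python
import re

# Squid-2 Windows helper -> Squid-3.2+ name. Assumption: these two new names
# follow the Squid-3 helper naming scheme; confirm against the installed build.
RENAMED = {
    "mswin_ntlm_auth": "ntlm_sspi_auth",
    "mswin_check_ad_group": "ext_ad_group_acl",
}
NEGOTIATE_HELPER = "negotiate_sspi_auth"  # helper named in the thread

# Constructed sample: the two directives quoted in the thread plus filler lines.
SAMPLE_CONF = """\
# squid.conf carried over from 2.7.STABLE8
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5
external_acl_type win_domain_group %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G
acl authed proxy_auth REQUIRED
http_access allow authed
"""

# Helper file name: the word characters directly in front of ".exe".
HELPER_RE = re.compile(r"(?P<name>[\w-]+)(?=\.exe\b)", re.IGNORECASE)


def audit(conf_text):
    """Return (line_no, kind, suggested_line) for each directive to change."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HELPER_RE.search(line)
        old = m.group("name").lower() if m else None
        if old in RENAMED:
            # Same directive with only the helper file name swapped.
            fixed = line[:m.start()] + RENAMED[old] + line[m.end():]
            findings.append((no, "renamed-helper", fixed))
        words = line.split()
        if m and len(words) >= 4 and words[:3] == ["auth_param", "ntlm", "program"]:
            # NTLM scheme: suggest the Negotiate (Kerberos) SSPI helper instead.
            path = HELPER_RE.sub(NEGOTIATE_HELPER, words[3])
            findings.append((no, "ntlm-scheme", "auth_param negotiate program " + path))
    return findings


if __name__ == "__main__":
    for no, kind, suggestion in audit(SAMPLE_CONF):
        print(f"line {no}: {kind}: {suggestion}")
```

Helper options such as -G are carried over unchanged and should be checked against the documentation shipped with the new helper.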

Re: NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12

Todd Pearson
I appreciate the input.  Do you (or anyone else) know if keytab is required in a Windows-only environment for Kerberos authentication?



From: Amos Jeffries <[hidden email]>
To: Todd Pearson <[hidden email]>; "[hidden email]" <[hidden email]>
Sent: Tuesday, June 27, 2017 10:37 AM
Subject: Re: [squid-users] NTLM authentication worked in Squid 2.7.STABLE8 Squid Web Proxy, now need it in v3.5 hosted on Windows server 2k12
